New French Guidance Document for Decentralised Clinical Trials and eConsent


In April 2025 French authorities released a guidance document on Decentralised Clinical Trials (‘DCT’). It also covers eConsent.

This guidance document can be found on this official French website (in French):

https://sante.gouv.fr/IMG/pdf/faq_phase_pilote_recherches_cliniques_decentralisees_08.04_2025.pdf


In a nutshell, it says that DCTs are possible under conditions.


It also says that eConsent is accepted under conditions, which is breaking news for France.


That said, the Methodology of Reference 001 ('MR001') drafted in 2016 by the French Data Protection Authority ('DPA'), the CNIL, has not yet been revised to allow DCTs: it is therefore still mandatory to submit a specific authorisation request to the CNIL for each clinical trial in which some visits are done at patients' homes.


There is another, much simpler way to demonstrate that your DCT complies with French privacy law and with MR001: contact us if you are interested in learning more.


The CNIL will release an updated version of the MR001 to make it simpler to run DCTs, but no date has been given yet.


For any question on this topic, contact Bertrand at b.p.lebourgeois@pharmarketing.net




UK HRA to Publish Final Clinical Trials Regulations Guidance in COMING WEEKS

The UK Health Research Authority ('HRA') will publish its final clinical trials regulations guidance IN THE NEXT WEEKS: watch out for news in our next Newsletter or on our LinkedIn company page.


The final guidance should be used by researchers and sponsors to update their policies and processes ahead of the amended regulations coming into force on 28 April 2026.


If you have questions about the future guidance, contact our senior UK consultants:

  • Dave Edwards at d.p.edwards ( at ) pharmarketing.net
  • Julianne Hull at j.m.hull ( at ) pharmarketing.



Examples of Non-Compliance with Health Data Privacy

Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisation. Check whether such measures are implemented at your organisation and, if not, talk to your management (or talk to us!).


Many thanks to GDPR hub NOYB and to IAPP for all this valuable information!


China:


Fact:

China's Ministry of Public Security and the Cyberspace Administration of China ('CAC') issued an administrative penalty to fashion company DIOR for the non-compliant transfer of personal data outside of China, which in addition led to a data leak in May.

Investigators found that DIOR's Shanghai entity transmitted customers' personal information to DIOR's headquarters in France without conducting a security assessment of the outbound transfer, signing a standard contract, or obtaining a personal information protection certification. DIOR also did not inform its Chinese customers about the transfer, did not ask for their consent, and did not encrypt or de-identify their personal data.

Read article from China Daily here: https://www.chinadaily.com.cn/...


Takeaway:

In addition to the classic obligations set by privacy laws in the EU/EEA/UK/CH (e.g. inform people, encrypt data, conduct a risk assessment), China mandates compliance with other specific rules: be sure to seek advice from an expert before transferring personal data outside of China. Here DIOR did not even comply with the requirements of European privacy laws.


Estonia:


Fact:


The Estonian Data Protection Authority ('DPA') fined the pharmaceutical wholesaler Allium UPI €3,000,000 over a large-scale data breach involving personal information about pharmaceutical purchases: the personal details of a large number of Apotheke customers who joined the loyalty programs between 2014 and 2020, as well as detailed information about their pharmaceutical purchases: first and last name, personal identification number, language, gender, email address, phone number, home address. The DPA stated that Allium UPI failed to implement sufficient security measures, such as multi-factor authentication. Read more on GDPRhub...


Takeaway:


Your organisation should implement the basic IT and organisational security measures recommended by ISO 27001 or by national cybersecurity agencies.


United Kingdom:


Fact:


The U.K. Information Commissioner's Office issued a 6,540 GBP fine to Bridlington Lodge Care Home after Director Jason Blake allegedly refused to comply with a subject access request from a resident's family member and deleted relevant data connected to the patient without permission.

In this case, the daughter had the authority to request this information on her father’s behalf due to a lasting power of attorney. The personal information requested included incident reports, copies of CCTV footage and notes relating to her father’s care. 

Full story: Care home director found guilty of ignoring request for personal information | ICO


Takeaway:


First, it is mandatory to reply to a subject access request within one month, and second, patient data should not be deleted without the consent of the patient or their family, so that the daughter could receive a copy of, or access, such personal data before it is deleted.



New Privacy Law in Botswana in Force since January 2025

Botswana's Data Protection Act came into force on 14 January 2025.


Data controllers must:

  • Process personal data in accordance with the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, information quality, storage limitation, integrity and confidentiality, and accountability.
  • Have technical and organisational measures in place.
  • Appoint a Data Protection Officer ('DPO') if they process personal data on a large scale, if they process sensitive personal data on a large scale, or if they process personal data relating to criminal convictions and offences regarding compliance with the act.


All of this is similar to what the GDPR (EU/EEA/UK/CH) requires.


In other words, if your organisation is processing personal data from people based in Botswana and if your organisation is compliant with the GDPR, then you will be compliant with the Privacy Law of Botswana.


To read more: 

Botswana Communications Regulatory Authority https://www.bocra.org.bw/data-...

Botswana Data Protection Act: https://www.bocra.org.bw/sites...




Miscellaneous News from the Industry and National Updates

September has been a very busy and creative month!


  • ICH E6 R3 Consultation: Australia's Therapeutic Goods Administration ('TGA') made annotations to ICH E6(R3) "Guideline for Good Clinical Practice (GCP)": Submit your comments before 10 October 2025 Close of Business, see here:
    https://consultations.tga.gov....
    "ICH E6(R3) Guideline for GCP: Principles and Annex I with TGA annotations" is expected to be adopted in January 2026. To support implementation, a 12-month transition period is proposed, allowing sponsors, trial sites and other stakeholders time to meet the updated requirements. The timelines provided are indicative. Following the consultation and consideration of stakeholder feedback, the key adoption and transition dates will be announced on the TGA webpage "ICH Guideline for Good Clinical Practice" and promoted on the TGA's social media.
  • The UK ICO released a very good and clear encryption guideline. Click Here to Read the Full Version
  • EU-Brazil adequacy on EDPB plenary agenda: the European Data Protection Board published the agenda for its 11 Sept. plenary meeting. Major agenda items include reviewing the European Commission's draft adequacy agreement with Brazil. Read the agenda. NB: the EDPB has not published the meeting minutes yet.
  • India: the Digital Personal Data Protection Act ('DPDPA') rules will be unveiled before 28 September 2025. Read the Full Article Here
  • EU: interplay between the GDPR and the Digital Services Act ('DSA'): the European Data Protection Board (EDPB) has adopted guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The DSA complements the rules of the GDPR with regard to online intermediary services, such as search engines and platforms. Read the Full Press Release.
  • California: the California Privacy Protection Agency (CPPA) announced on 23 Sept 2025 that covered organisations will have to perform a cybersecurity audit before 1 April 2028 (depending on the size of the organisation), together with new rules on risk assessments and automated decision-making technology (ADMT). These new regulations go into effect on 1 January 2026. Read More
  • Maryland's Online Data Privacy Act set to take effect 1 Oct. It has a specificity for Sensitive Personal Information ('SPI'): instead of requiring the expressed consent of people as in other US states, Maryland bans the collection, processing, or sharing of SPI unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.”
  • FDA's updated guidance for Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions was issued in June, see here: https://www.fda.gov/regulatory...
  • New Zealand passed the Privacy Amendment Act on 24 September 2025. The main change is the new Information Privacy Principle 3A (IPP3A): Under new IPP3A, if an agency (business or organisation) collects an individual’s personal information from someone other than the person themselves (i.e. indirectly), then that agency is required to tell the person, unless an exception applies, see details here: https://www.privacy.org.nz/tuh...

1) Brazil is now an adequate country from an EU GDPR perspective: yes / no


No, not yet. But organizations based in EU/EEA can send personal data to an organization based in Brazil if:

  1. it has put in place a Data Transfer Agreement ('DTA') with the importer in Brazil, and this DTA contains the EU's Standard Contractual Clauses ('SCCs'), or
  2. it has implemented other tools or is using the derogations indicated in articles 46 to 49 of the EU GDPR.


NB1: the same principles apply when sending personal data from the UK or Switzerland to Brazil.

NB2: the same principles apply when sending personal data from the EU/EEA/UK/CH to any other non-adequate country.



2) It is possible to transfer personal data from China to the rest of the world: yes / no

Yes, if you have done one of the following three things:


  1. a Security Assessment has been performed by the Cyberspace Administration of China ('CAC'), or
  2. a CAC-approved institution has issued a Personal Information Protection Certification to your organisation, or
  3. you have drafted a DPA containing the SCCs issued by the CAC.